Security Operations Fundamentals > [T2]: Lab - Microsoft Sentinel SIEM - How to query stored logs

How to query stored logs

One of your essential tasks as an analyst is to query data to get insights and information about what happened. To query events, Microsoft Sentinel uses a query language called "Kusto Query Language (KQL)."

From Sentinel main page, go to "Logs".

Figure - zoom in


Logs are stored in the "Log Analytics workspace" previously created. These logs are organized as tables. Windows events are stored in a table called "SecurityEvent."

To explore the events stored in these tables and order them in chronological order type:

SecurityEvent
| order by TimeGenerated

Figure - zoom in


Now, find the count of events by executing the following query:

SecurityEvent
| count

Figure - zoom in


Try to select randomly only ten events:

SecurityEvent
| limit 10

Figure - zoom in


Use project function to view only Computer and Account columns:

SecurityEvent
| project Computer, Account

Figure - zoom in


Project all columns except the Computer column:

SecurityEvent
| project-away Computer

Figure - zoom in


Now, find the number of events of every EventID:

SecurityEvent
| summarize count() by EventID

Figure - zoom in


To illustrate the data, you can render the result as graphs. An example of a bar chart can happen through execution:

SecurityEvent
| summarize count() by EventID
| extend EventID = tostring(EventID)
| render barchart

Figure - zoom in


Do the same, but this time, draw a pie chart:

SecurityEvent
| summarize count() by EventID
| extend EventID = tostring(EventID)
| render piechart

Figure - zoom in

Additional reading:

  1. Learn the KQL you need for Azure Sentinel
← Prev Dashboard Next →